In previous postings we have talked about HITRUST certification and compliance requirements, understanding the HITRUST certification process, and scoring HITRUST CSF controls, but one question we hear constantly is, “What is the benefit of getting HITRUST certified?”
Security Concerns in Healthcare & How to Alleviate Them
Over the past few years, healthcare organizations have suffered a large number of breaches. According to Protenus, 112 million records were breached in 2015, 23.7 million in 2016, and 5.6 million in 2017. While the number of records breached has fallen, 2017 still recorded 477 breaches, or more than one per day. Not good.
If you are a healthcare organization, or you provide services to one, securing your infrastructure and applications is critical to the growth and reputation of your organization. This is especially important if you are a small- to medium-sized organization that cannot afford even the smallest breach. In 2017, data breaches cost an organization an average of $380 per record, not to mention the loss of public trust. A single breach could destroy your company.
That was a lot of bad news…so let’s talk about some good news: by implementing sound security controls and following industry best practices, you can significantly reduce the chance of being breached.
The Problem with Healthcare Compliance
If you are in the healthcare business you are probably very familiar with this alphabet soup of regulations, standards, and frameworks: HITECH, HIPAA, NIST, PCI, FTC, ISO, COBIT, GDPR, and so on. Demonstrating compliance with all of them takes a lot of time and money, and, let’s face it, few companies have unlimited resources, so you are probably working with a limited budget, limited time, and limited staff.
I have talked with some organizations that are in a perpetual audit period: one compliance audit after another, while constantly filling out security questionnaires. Also, many of the regulations are non-prescriptive or ambiguous, as anyone who has tried to work out what “reasonable and appropriate” means in the HIPAA Security Rule can tell you.
What is the HITRUST CSF?
I could rewrite what the HITRUST Common Security Framework (CSF) provides, but HITRUST does a pretty good job:
According to HITRUST: “The HITRUST CSF was developed to address the multitude of security, privacy and regulatory challenges facing organizations. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
The HITRUST CSF:
- Includes, harmonizes, and cross-references existing, globally recognized standards, regulations and business requirements, including ISO, NIST, PCI, HIPAA, and state laws
- Scales controls according to type, size, and complexity of an organization
- Provides prescriptive requirements to ensure clarity
- Follows a risk-based approach offering multiple levels of implementation requirements determined by specific risk thresholds
- Allows for the adoption of alternate controls when necessary
- Evolves according to user input and changing conditions in the industry and regulatory environment on an annual basis
- Provides an industry-wide approach for managing Business Associate compliance”
In short, the HITRUST CSF helps reduce complexity, risk, and cost while improving the security posture of the organization.
The Top Four Benefits of HITRUST Certification
So what are the benefits of getting HITRUST certified? There are many but I decided to break it down to the top four.
Meet customer and client needs: This is an easy one, and really the primary reason organizations look toward HITRUST: a client has asked you to get HITRUST certified or else they will leave, or they will not sign up until you do. Pretty cut and dry. Beyond that, holding a third-party validated certification shows that your organization meets or exceeds the requirements defined in the HITRUST CSF, which gives your business a competitive advantage over organizations that do not have it. It is also great for marketing to be able to put the HITRUST badge on your website or publications; prospective clients already know you are using an industry-accepted framework and have demonstrated a defined level of security, which can drive business your way.
Reduce time dedicated to audits: A HITRUST certification cannot be used in lieu of certain compliance obligations (PCI, for example), but some clients will waive their own requirements, and most clients will accept the certification instead of requiring a specific response to every question on their security questionnaire. It also significantly reduces time and cost by bringing almost all the requirements from multiple regulations into one place to identify risk and maturity. Having a central location to view and track compliance helps ensure you do not run into surprises when a secondary audit, such as PCI, is required.
Enhance Security Posture: The HITRUST certification process is much more in-depth and prescriptive than many other regulations and frameworks. For example, some regulations do not address system hardening, event logging, or data retention at all, or do not go to the depth that the HITRUST CSF does. The HITRUST CSF draws from multiple sources, including NIST, HITECH, and HIPAA, which forces an organization to do a comprehensive review of its environment. Having eyes on more parts of the environment helps identify risks and gaps which, once fixed, improve the security posture and reduce the organization’s overall risk.
Help an Organization Understand Its Risks and Growth Opportunities: With many regulations, organizations push to do the bare minimum to pass and then leave it be. They do not go back to assess growth in their organization or attempt to identify gaps that those regulations may not cover. The HITRUST framework allows an organization to identify risks and areas for maturity, and provides a tool to track progress and growth with regard to the overall security of the environment.
How do I get HITRUST Certified?
Isaac Clark has written a few blog posts on understanding the certification process and how to score CSF controls but I wanted to add a few additional notes based on our experience helping clients get certified.
- It is not something to do on a whim; you need to dedicate time and resources in order to be successful.
- The first year is going to be difficult and time consuming.
- The HITRUST framework requires that an organization assess compliance against a maturity model made up of five levels: Policy, Process, Implementation, Measured, and Managed. This means five responses are required for each control.
- It’s big. Because of that maturity model, a typical scope of roughly 450 controls works out to about 2,250 responses, each of which needs supporting evidence collected if it is to be scored.
- It will require changes and updates to your policies, standards, and processes (or the creation of them).
- It is not cheap. There is a cost for access to the tool, reports, and premium modules, the internal time and resources to implement, and then the third-party assessment.
How can Linford & Co Help?
The whole process may seem daunting, and to be honest it can be the most painful and tedious thing you have done in a long time. It can also be a positive, eye-opening, and smooth process if you have the right partner helping you through it. Getting HITRUST certified is a heavy lift and requires expertise in the maturity model, healthcare regulations, NIST controls, policy, standards, and process development, and more.
As a HITRUST Authorized CSF Assessor, Linford & Co has over 25 years of NIST control experience, in-depth knowledge of the HITRUST framework, and healthcare experience. Because we rely on the expert model, we can answer your questions right away, and the audit stays focused and efficient.
If one of your clients has asked you for a HITRUST validated certification, you are looking to add it to your marketing, or you want to use the framework to improve your security, please feel free to reach out to Linford & Co and we can walk you through the process and pricing.
Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, GSEC licenses and certifications. Learn more about our company and our leadership team.